How to Develop a Risk Register

Risk Register
The Risk Register records details of all the risks identified which have not
been eliminated and provides a mechanism for ongoing monitoring and
review of the suitability of the control strategies implemented.
Risks associated with activities and strategies are identified and then graded
in terms of likelihood of occurring and seriousness of impact.
Why would you develop a Risk Register?
As a formal document, the analysis contained in a risk register can be used to
document and improve workplace practices. The register can also be used to
notify senior managers of emerging risk exposures that warrant immediate
attention. Involving staff and other members of the community in the process
of compiling a risk register is likely to encourage a high level of ownership of,
and commitment to, organisational processes and activities.
The process of identifying and analysing risks is part of your risk management
system and should be undertaken where the controls are not obvious or a
level of ongoing risk remains.
Risk Registers
The risk register template consists of some headings and a table that reflects
the nature of the information that is to be addressed. The advantages of
using a single template as a record of risk analysis, evaluation, treatment and
monitoring actions are brevity and clear presentation of the logic which supports
the decision-making process. Where risk management treatment plans are
required to be comprehensive it may be appropriate to supplement the
applicable risk register entry with a separate, supporting risk treatment plan.
The completed risk register should be brief and to the point, so it quickly
conveys the essential information. It should be updated on a regular basis.
Risk treatment actions should include such things as:
• Planned actions to reduce the likelihood a negative risk will occur and/or reduce the seriousness should it occur. (What should you do now?)
• Contingency actions: planned actions to reduce the immediate seriousness of a negative risk when it does occur. (What should you do when?)
• Recovery actions: planned actions taken once a negative risk has occurred to allow you to move on. (What should you do after?)
• Risk transfer (e.g. through assignment of contractual responsibilities or insurance).
• Eliminating risk by not undertaking a particular activity or action.
• Actions necessary to ensure the realisation of opportunities (positive risks).

Version 1, March 2009

Likelihood Rankings
(Positive or negative risks)
As a guide only: likelihood rankings should be calibrated, where necessary, to ensure compliance with applicable regulations, safety standards and other tolerances that have been agreed with key activity sponsors.

Rank  Likelihood      Description
1     Rare            Once in 50 years / Probability less than 2%
2     Unlikely        Once in 20 years / Probability less than 5%
3     Possible        Probability of 5% to 50%
4     Likely          Probability 50% to 90%
5     Almost Certain  Probability of 90% or more

Consequence Rankings
(Negative risks)

Rank  Consequence    Injury/illness
1     Insignificant  Very minor injury or short term impact.
2     Minor          Minor injury likely to be restricted to an individual.
3     Moderate       Injury of more than a minor nature to a few individuals, likely to result in some absence from work.
4     Major          Risk event may lead to serious injury and incapacitation.
5     Catastrophic   Risk event may lead to a death or total and permanent disablement to one or more individuals.

Note that risk events are not exclusive to any particular category. Key risk events
may need to be considered within the context of 2 or more risk categories.
Risk Rating
Grade: Combined effect of Likelihood/Seriousness (As a Guide Only)

                    Consequence Rating
Likelihood          1. Insignificant  2. Minor  3. Moderate  4. Major  5. Catastrophic
A. Almost Certain   L                 M         H            E         E
B. Likely           L                 M         H            E         E
C. Possible         L                 L         M            H         E
D. Unlikely         L                 L         M            H         H
E. Rare             L                 L         L            M         H

(Adapted from AS/NZS 4360:2004, Risk Management).

Recommended actions for grades of negative risk

Grade  Risk mitigation actions
L      LOW: These risks should be recorded, monitored and controlled by the responsible manager. Activities with unmitigated risks that are graded above this level should be avoided.
M      MEDIUM: Mitigation actions to reduce the likelihood and seriousness are to be identified, and appropriate actions are to be identified and endorsed by a supervisor.
H      HIGH: If uncontrolled, a risk event at this level may have a significant impact on the safety of employees or others. Mitigating actions need to be very reliable and should be approved and monitored in an ongoing manner by managers.
E      EXTREME: Activities and projects with unmitigated risks at this level should be avoided or eliminated. This is because risk events graded at this level have the potential to cause serious injury.

Reference:
Australian/New Zealand Standard AS/NZS 4360:2004, "Risk Management"
SAMPLE RISK REGISTER

Columns of the sample register:
Risk ID No. | Risk | Risk Rating | Control strategies | Residual likelihood rating (given current actions) | Residual consequence rating | Residual Risk rating | Are mitigating actions effective / efficient? Is Risk Grade Acceptable (Yes or No) | Review date

Version 2, April 2012